
<!doctype html>
<html lang="en-US">
  <head>
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="apple-touch-icon" sizes="180x180" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-180x180.png">
	<link rel="icon" type="image/png" sizes="32x32" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-32x32.png">
	<link rel="icon" type="image/png" sizes="16x16" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-16x16.png">
	<link rel="manifest" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/site.webmanifest">
	<link rel="mask-icon" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/safari-pinned-tab.svg" color="#000000">
	<meta name="msapplication-TileColor" content="#000000">
	<meta name="theme-color" content="#000">
        <script type="text/javascript">
// Origin of the main Palo Alto Networks site, exposed as page globals
// (declared with `var` at top level, so both land on `window`).
// NOTE(review): this lives in an inline <script>; a strict CSP on the page
// would have to allow it via a nonce or hash.
var main_site_url = 'https://www.paloaltonetworks.com',
    maindomain_lang = 'https://www.paloaltonetworks.com';
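/**
 * Read a single query-string parameter out of a URL.
 *
 * `name` is matched literally: every RegExp metacharacter in it is escaped
 * before the pattern is built. (The previous version escaped only `[` and
 * `]`, so a name containing `.`, `+`, `(` … was silently treated as a
 * pattern.) The search runs over the whole `url` string, so a parameter
 * that only appears after the `#` fragment is found as well — unchanged.
 *
 * @param {string} name  Parameter name to look up.
 * @param {string} [url=window.location.href]  URL to search. The default is
 *        the current page URL, i.e. untrusted input that anyone linking to
 *        the page controls; callers must not treat the result as safe HTML.
 * @returns {string|null} The decoded value (`+` read as a space); `''` when
 *        the parameter is present without a value; `null` when it is absent
 *        or its value is not valid percent-encoding. A malformed value is
 *        reported as "absent" instead of letting URIError escape and abort
 *        the rest of this inline script.
 */
function getParameterByName(name, url = window.location.href) {
    // Escape all RegExp metacharacters so `name` cannot change the pattern.
    name = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    const regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)');
    const results = regex.exec(url);
    if (!results) return null;
    // Group 2 is undefined when the name is followed by `&`, `#` or the end
    // of the string, and '' for `name=` — both count as "present, no value".
    if (!results[2]) return '';
    try {
        return decodeURIComponent(results[2].replace(/\+/g, ' '));
    } catch (e) {
        // decodeURIComponent throws URIError on a broken escape (e.g. a lone
        // `%E0`); treat such a value as absent rather than crash the script.
        return null;
    }
}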
	// Hand-off of a `container` query parameter: presumably stash it for a
	// later script, then load the article URL without the query string.
	var container_q = getParameterByName('container');
	var d_lang = 'en';
	if (container_q !== null && container_q !== '') {
		// NOTE(review): the value comes straight from the page URL and is stored
		// verbatim; whatever later reads sessionStorage['container'] must treat
		// it as untrusted (escape it before putting it into the DOM).
		sessionStorage.setItem('container', container_q);
		location.href = 'https://unit42.paloaltonetworks.com/blackcat-ransomware';
	}
</script>
<style type="text/css">
/* Self-hosted web fonts (Merriweather, Decimal) fetched from
   www.paloaltonetworks.com; font-display:swap keeps fallback text visible
   while they load. The duplicated `src:` in the Merriweather faces is the
   usual EOT-first ordering for legacy IE. */
@font-face{font-family:'Merriweather';font-style:normal;font-weight:300;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.eot');src:local('Merriweather Light'),local('Merriweather-Light'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:italic;font-weight:300;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.eot');src:local('Merriweather Light Italic'),local('Merriweather-LightItalic'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:normal;font-weight:400;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.eot');src:local('Merriweather Regular'),local('Merriweather-Regular'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:italic;font-weight:400;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.eot');src:local('Merriweather Italic'),local('Merriweather-Italic'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:normal;font-weight:700;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.eot');src:local('Merriweather Bold'),local('Merriweather-Bold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:italic;font-weight:700;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.eot');src:local('Merriweather Bold Italic'),local('Merriweather-BoldItalic'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.svg#Merriweather') format('svg')}


/* Decimal family. Note the italic faces reuse the upright local() names
   ('Decimal Medium', 'Decimal SemiBold', 'Decimal Bold') — presumably so an
   installed upright face is preferred over a download; confirm intended. */
@font-face{font-family:'Decimal';font-style:normal;font-weight:500;font-display:swap;src:local('Decimal Medium'),local('Decimal-Medium'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Medium-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Medium-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Medium-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:italic;font-weight:500;font-display:swap;src:local('Decimal Medium'),local('Decimal-Medium'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-MediumItalic-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-MediumItalic-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-MediumItalic-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:normal;font-weight:600;font-display:swap;src:local('Decimal SemiBold'),local('Decimal-SemiBold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Semibold-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Semibold-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Semibold-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:italic;font-weight:600;font-display:swap;src:local('Decimal SemiBold'),local('Decimal-SemiBold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-SemiboldItalic-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-SemiboldItalic-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-SemiboldItalic-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:normal;font-weight:700;font-display:swap;src:local('Decimal Bold'),local('Decimal-Bold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Bold-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Bold-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Bold-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:italic;font-weight:700;font-display:swap;src:local('Decimal Bold'),local('Decimal-Bold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-BoldItalic-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-BoldItalic-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-BoldItalic-Pro.otf') format('opentype')}    

/* Navigation / button rules. Everything down to the "[Start] custom css"
   marker appears to be copied from the main site (that marker says the rules
   after it are not). Order matters: `.productNav2021Component .btn` is
   declared twice (the second only resets height) and the cascade relies on
   it, so do not reorder these blocks. */
.nav {
    display: flex;
    flex-wrap: wrap;
    padding-left: 0;
    margin-bottom: 0;
    list-style: none;
}
dl, ol, ul {
    margin-top: 0;
    margin-bottom: 1rem;
}
.nav-link {
    display: block;
    padding: .5rem 1rem;
}
.productNav2021Component .btn {
    flex-grow: 0;
    flex-shrink: 0;
    display: inline-block;
    font-family: Decimal,Arial,"Helvetica Neue",Helvetica,sans-serif;
    font-weight: 600;
    color: #141414;
    text-align: center;
    vertical-align: middle;
    user-select: none;
    background-color: transparent;
    border: 2px solid transparent;
    border-radius: 50px;
    transition: box-shadow .15s ease-in-out;
}

.productNav2021Component .btn-primary{
    display: inline-flex;
    align-items: center;
    text-decoration: none;
    max-width: 100%;
    text-align: left;
    background-color: #fa582d;
    color: #141414;
    position: relative;
}
.productNav2021Component .btn-primary.focus,.productNav2021Component  .btn-primary:focus{
    color: #141414;
    border-color: #00c0e8;
}
.productNav2021Component .btn-primary:hover, .productNav2021Component .btn-primary-outline:hover,  .productNav2021Component .btn-black:hover, .productNav2021Component .btn-white:hover {
    background-color: #fb7652;
}
.productNav2021Component .btn{
    height:auto;
}
.productNav2021Component .btn:hover {
    color: #141414;
    text-decoration: none;
    border-color: transparent;
}
.productNav2021Component .btn-dark,.productNav2021Component .btn-outline-dark{
    display: inline-flex;
    align-items: center;
    text-decoration: none;
    max-width: 100%;
    text-align: left;
    background: 0;
    color: #fff;
    position: relative;
}
.productNav2021Component .btn-dark i, .productNav2021Component .btn-outline-dark i {
    width: 20px;
    height: 20px;
    margin-left: 15px;
    flex-grow: 0;
    flex-shrink: 0;
    display: inline-block;
    background-size: contain;
    background-position: center;
    background-repeat: no-repeat;
    background-image: url('https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-white.svg');
}
.productNav2021Component .btn-dark:hover{
    color: #999;
}
.productNav2021Component .btn-dark:not(:disabled):not(.disabled):active,.productNav2021Component .btn-dark:hover{
    background-color: transparent;
    border-color: transparent;
}
.productNav2021Component .btn-dark:not(:disabled):not(.disabled):active:focus{
    box-shadow: none;
}
.productNav2021Component .display-2{
    font-family: Merriweather,Georgia,serif;
    font-weight: 400;
    color: #5f5f5f;
    font-size: 14px;
    line-height: 24px;
} 
/* Aspect-ratio boxes: the wrapper gets height 0 plus a percentage
   padding-bottom, the <img> fills it absolutely. The odd
   `font-family:'object-fit: contain;'` value is presumably the hook read by
   an object-fit polyfill for old browsers — leave it as is. */
.panClean .ar-1-1 img,.panClean .ar-4-3 img,.panClean .ar-3-2 img,.panClean .ar-3-4 img,.panClean .ar-12-17 img,.panClean .ar-16-7 img,.panClean .ar-16-9 img{
    position:absolute;
    width:100%;
    height:100%;
    object-fit:contain;
    font-family:'object-fit: contain;'
}
.panClean .ar-3-2{padding-bottom:66.6666667%}
.panClean .ar-1-1,.panClean .ar-4-3,.panClean .ar-3-2,.panClean .ar-3-4,.panClean .ar-12-17,.panClean .ar-16-7,.panClean .ar-16-9{display:inline-block;width:100%;height:0;overflow:hidden;position:relative;margin:0}
.panClean .ar-16-9{padding-bottom:52.25%}
.panClean .ar-3-4{padding-bottom:133.3333333%}
.productNav2021Component .container,.productNav2021Component .container-fluid,.productNav2021Component .container-sm,.productNav2021Component .container-md,.productNav2021Component .container-lg,.productNav2021Component .container-xl{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}

/** [Start] custom css, not copied from main site **/
.productNav2021Component a, button, input[type=reset], input[type=submit]{
    transition: none;
}
.panClean .productNav2021Component .prisma-2021-nav-main .btn.btn-primary {
    height: auto;
}
.pan-search-coveo-header .magic-box-clear{
    display: block!important;
}
.no-scroll{overflow:hidden !important}
/** [End] custom css, not copied from main site **/
@media (min-width: 576px){
.productNav2021Component .container-fluid {
    width: auto;
    margin-left: 7.14285714%;
    margin-right: 7.14285714%;
}
}
/* NOTE(review): this one-rule media block is repeated verbatim as the first
   rule of the block that follows; harmless (same declarations), just
   redundant. */
@media(min-width:768px){.productNav2021Component .btn{padding:13px 24px;font-size:16px;line-height:20px}}
@media(min-width:768px){.productNav2021Component .btn{padding:13px 24px;font-size:16px;line-height:20px}
.productNav2021Component .btn-light,.productNav2021Component .btn-dark{padding-left:0;padding-right:0}
.productNav2021Component .btn-link{padding:5px 0}
.productNav2021Component .btn-lg,.productNav2021Component .btn-group-lg>.btn{padding:20px 40px;font-size:18px}
.productNav2021Component .btn-sm,.productNav2021Component .btn-group-sm>.btn{padding:10px 20px;font-size:14px}
}
@media(max-width:767.98px){.productNav2021Component .btn{padding:10px 20px;font-size:14px;line-height:18px;}}
@media(max-width:767.98px){
    .productNav2021Component .btn-dark{padding-left:0;padding-right:0}
}    
/* Hides whatever the .wpp-meta element holds; what that is isn't visible
   from this stylesheet. */
.wpp-meta {
    display: none !important;
}
</style>   
<link rel='stylesheet'  href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css' type='text/css' media='all' />
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.css' media='all' />
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc/clientlibs/clean/panClean/prisma/defered.min.css' media='all' />
    <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />
<link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/blackcat-ransomware/" />
<link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/blackcat-ransomware/" />
<link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/blackcat-ransomware/" />

	<!-- This site is optimized with the Yoast SEO plugin v18.3 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>Threat Assessment: BlackCat Ransomware</title>
	<meta name="description" content="BlackCat ransomware (aka ALPHV) is notable for its use of the Rust programming language and an aggressive approach to naming and shaming victims." />
	<link rel="canonical" href="https://unit42.paloaltonetworks.com/blackcat-ransomware/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="Threat Assessment: BlackCat Ransomware" />
	<meta property="og:description" content="BlackCat ransomware (aka ALPHV) is notable for its use of the Rust programming language and an aggressive approach to naming and shaming victims." />
	<meta property="og:url" content="https://unit42.paloaltonetworks.com/blackcat-ransomware/" />
	<meta property="og:site_name" content="Unit42" />
	<meta property="article:published_time" content="2022-01-27T14:00:27+00:00" />
	<meta property="article:modified_time" content="2022-03-09T15:46:07+00:00" />
	<meta property="og:image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/Unit42-ransomware-21-illustration_yellow.png" />
	<meta property="og:image:width" content="1587" />
	<meta property="og:image:height" content="850" />
	<meta property="og:image:type" content="image/png" />
	<meta name="twitter:card" content="summary_large_image" />
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//www.google.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Unit42 &raquo; Threat Assessment: BlackCat Ransomware Comments Feed" href="https://unit42.paloaltonetworks.com/blackcat-ransomware/feed/" />
<meta property="og:likes" content="20"/>
<meta property="og:readtime" content="10"/>
<meta property="og:views" content="42,863"/>
<meta property="og:date_created" content="January 27, 2022 at 6:00 AM"/>
<meta property="og:post_length" content="2676"/>
<meta property="og:category" content="Malware"/>
<meta property="og:category" content="Ransomware"/>
<meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/malware-2/"/>
<meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/ransomware/"/>
<meta property="og:author" content="Amanda Tanner"/>
<meta property="og:author" content="Alex Hinchliffe"/>
<meta property="og:author" content="Doel Santos"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/alex-hinchliffe/"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/doel-santos/"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta property="og:post_image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/Unit42-ransomware-21-illustration_yellow.png"/>
<script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"Threat Assessment: BlackCat Ransomware","name":"Threat Assessment: BlackCat Ransomware","description":"BlackCat ransomware (aka ALPHV) is notable for its use of the Rust programming language and an aggressive approach to naming and shaming victims.","url":"https:\/\/unit42.paloaltonetworks.com\/blackcat-ransomware\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/blackcat-ransomware\/","datePublished":"January 27, 2022","articleBody":"Executive Summary\r\nBlackCat (aka ALPHV) is a ransomware family that surfaced in mid-November 2021 and quickly gained notoriety for its sophistication and innovation. Operating a ransomware-as-a-service (RaaS) business model, BlackCat was observed soliciting for affiliates in known cybercrime forums, offering to allow affiliates to leverage the ransomware and keep 80-90% of the ransom payment. The remainder would be paid to the BlackCat author.\r\n\r\nBlackCat has taken an aggressive approach to naming and shaming victims, listing more than a dozen on their leak site in a little over a month. The largest number of the group\u2019s victims so far are U.S. organizations, but BlackCat and its affiliates have also attacked organizations in Europe, the Philippines and other locations. Victims include organizations in the following sectors: construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components and pharmaceuticals.\r\n\r\nUse of BlackCat ransomware has grown quickly for a variety of reasons (for comparison, AvosLocker had only listed a handful of victims publicly within two months of becoming known). 
Effective marketing to affiliates is a likely factor \u2013\u00a0in addition to offering an enticing share of ransom payments, the group has solicited affiliates by posting ads on forums such as Ransomware Anonymous Market Place (RAMP).\r\n\r\nThe malware itself is coded in the Rust programming language. Though this is not the first piece of malware to use Rust, it is one of the first, if not the first, piece of ransomware to use it. By leveraging this programming language, the malware authors are able to easily compile it against various operating system architectures. Given its numerous native options, Rust is highly customizable, which facilitates the ability to pivot and individualize attacks.\r\n\r\nThe threat actors leveraging BlackCat, often referred to as the \"BlackCat gang,\u201d utilize numerous tactics that are becoming increasingly commonplace in the ransomware space. Notably, they use multiple extortion techniques in some cases, including the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid and distributed denial-of-service (DDoS) attacks.\r\n\r\nPalo Alto Networks detects and prevents BlackCat ransomware with the following products and services: Cortex XDR and Next-Generation Firewalls (including cloud-delivered security subscriptions such as WildFire).\r\n\r\nDue to the surge of this malicious activity, we\u2019ve created this threat assessment for overall awareness. 
Full visualization of the techniques observed, relevant courses of action and IOCs can be viewed in the Unit 42 ATOM viewer.\r\n\r\n\r\n\r\nTypes of Attacks Covered\r\nRansomware, DDoS\r\n\r\n\r\nRansomware Families Discussed\r\nBlackCat\u00a0\r\n\r\n\r\nRelated Unit 42 Topics\r\nCybercrime, Conti, LockBit 2.0, Hive, Avos\r\n\r\n\r\n\r\nTable of Contents\r\nBlackCat Ransomware Overview\r\nTechnical Details\r\n\u2022 BlackCat Config\r\n\u2022 Associated Tools\r\nPost-compromise Activities\r\nCourses of Action\r\nConclusion\r\nAdditional Resources\r\nAcknowledgments\r\nBlackCat Ransomware Overview\r\nSoliciting via known cybercrime forums, BlackCat is seeking affiliates to deploy its ransomware. Affiliates keep an 80-90% share of the ransom payment, with the remainder going to the BlackCat author. These affiliates are interviewed and vetted before being accepted into the RaaS group. Once the affiliate is confirmed, they are given unique access to a Tor-based control panel that hosts the affiliate\u2019s access.\r\n\r\nWritten in the Russian language, the control panel gives the affiliate updates and announcements about deploying and operating the ransomware as well as troubleshooting tips to help the affiliate be more successful in their campaigns. Along with the control panel, a name and shame blog is also hosted, targeting victims who have either ignored or refused to pay the ransom. This site has been regularly updated with new victims since the initial discovery of the group.\r\n\r\nAs shown in Figure 1 below, many RaaS operators use the double-extortion technique of exfiltrating data prior to encryption, which provides them greater leverage in negotiating ransom funds. As of December 2021, BlackCat has the seventh largest number of victims listed on their leak site among ransomware groups tracked by Unit 42 \u2013 impressive considering that this group has only been publicly known since November 2021. 
While Conti (ranked second) has been around in various guises for almost two years, it is surrounded at the top of the chart by emerging families. LockBit 2.0 and Hive both have at least six months\u2019 head start on BlackCat, but this highlights a worrying trend that newcomers (or reformed groups) can attack many victims in a short space of time.\r\n\r\n[caption id=\"attachment_121752\" align=\"aligncenter\" width=\"900\"] Figure 1. Leak site\/name and shame blog statistics, December 2021.[\/caption]\r\n\r\nUsing the leak site information, we can understand the location and types of victims affected by BlackCat attacks. Victims include organizations in the following sectors: construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components and pharmaceuticals. Figure 2 breaks down the victims by country. However, the so-far sporadic spread of the attacks may indicate a somewhat opportunistic approach, as with most contemporary ransomware families.\r\n\r\n[caption id=\"attachment_121754\" align=\"aligncenter\" width=\"900\"] Figure 2. BlackCat leak site victims by country.[\/caption]\r\nTechnical Details\r\nBlackCat is positioned to pivot to individualized, customized attacks due to the numerous options available when coding in Rust (Figure 3). Rust programming has gained momentum due to its fast and high performance, powerful web application development, low overhead for embedded programming, and memory management resolution. Rust also facilitates the BlackCat author due to its efficiency regarding algorithms that power the encryption capability of the ransomware. Because of its efficiency and adaptability, BlackCat has been seen targeting both Windows and Linux systems.\r\n\r\n[caption id=\"attachment_121756\" align=\"aligncenter\" width=\"836\"] Figure 3. 
BlackCat execution options.[\/caption]\r\n\r\nIn an effort to maintain longevity, the use of the --access-token flag is required to execute the ransomware, which can make it harder to analyze in sandboxed environments.\r\nBlackCat Config\r\nWhile analyzing the ransomware configurations, we observed numerous evasion tactics deployed. These evasion techniques are used in an effort to impair or disable system defenses as well as to stop certain applications that may lock files open on disk, causing problems when trying to encrypt them. BlackCat attempts to kill several processes and services to hinder or prevent security solutions and backups. The process list checked is as follows:\r\n\r\nagntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, msaccess, mspub, mydesktopqos, mydesktopservice, notepad, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, powerpnt, sqbcoreservice, sql, steam, synctime, tbirdconfig, thebat, thunderbird, visio, winword, wordpad, xfssvccon, *sql*, bedbh, vxmon, benetns, bengien, pvlsvr, beserver, raw_agent_svc, vsnapvss, CagService, QBIDPService, QBDBMgrN, QBCFMonitorService, SAP, TeamViewer_Service, TeamViewer, tv_w32, tv_x64, CVMountd, cvd, cvfwd, CVODS, saphostexec, saposcol, sapstartsrv, avagent, avscc, DellSystemDetect, EnterpriseClient, VeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc\r\n\r\nThe services running on the compromised system are checked against the following list:\r\n\r\nmepocs, memtas, veeam, svc$, backup, sql, vss, msexchange, sql$, mysql, mysql$, sophos, MSExchange, MSExchange$, WSBExchange, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, GxBlr, GxVss, GxClMgrS, GxCVD, GxCIMgr, GXMMM, GxVssHWProv, GxFWD, SAPService, SAP, SAP$, SAPD$, SAPHostControl, SAPHostExec, QBCFMonitorService, QBDBMgrN, QBIDPService, AcronisAgent, VeeamNFSSvc, VeeamDeploymentService, 
VeeamTransportSvc, MVArmor, MVarmor64, VSNAPVSS, AcrSch2Svc\r\n\r\nIn an effort to maintain persistence, the BlackCat ransomware excludes key system and application folders \u2013 as well as key components \u2013 from encryption so as not to render the system and ransomware inoperative. The folders excluded are as follows:\r\n\r\nsystem volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, $windows.~bt, public, msocache, windows, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old\r\n\r\nExcluded file names are as follows:\r\n\r\ndesktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log\r\n\r\nAny file with an extension matching the following list will also be avoided:\r\n\r\nthemepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu\r\n\r\nHardcoded credentials stored within the BlackCat ransomware config lend credence to the likelihood that specific victims are being targeted. The credentials also allow BlackCat to move laterally within the victim\u2019s system and\/or network, often with administrative privileges. Credential access permits the ransomware to deploy additional tools that further propagate the attack. These observations have also been confirmed by Symantec.\r\nAssociated Tools\r\nBlackCat has been observed using multiple \u2013 often legitimate \u2013 tools throughout their attacks, such as Mimikatz, LaZagne and WebBrowserPassView to recover stored passwords, as well as GO Simple Tunnel (GOST) and MEGAsync to exfiltrate data. 
Additionally, anti-forensics tools like fileshredder, an application to securely delete unwanted files beyond recovery, have also been leveraged during some BlackCat ransomware attacks investigated by Unit 42.\r\nPost-compromise Activities\r\nOnce candidate systems have been identified for encryption by the threat actors, the ransomware deployment occurs and all viable files will be encrypted. This process often involves renaming files to include another or a different file extension, such as wpzlbji, in the example shown in Figure 4. As is commonplace with other ransomware strains, BlackCat ransomware will drop ransom notes on the compromised system(s) to inform the victim of what has happened and how to go about getting their data restored. Text files with the name RECOVER-[RANDOM]-FILES.txt (where [RANDOM] refers to the aforementioned file extension name) will be found on the compromised system containing information and instructions such as those in the example below:\r\n\r\n[caption id=\"attachment_121758\" align=\"aligncenter\" width=\"900\"] Figure 4. An example of a BlackCat ransom note dropped on a compromised system.[\/caption]\r\n\r\nBlackCat utilizes a unique onion domain with a victim-specific access key for the victim to use to learn more about the attack, their data, and what the threat actors want the victim to do next. The following example URL highlights the notation used by BlackCat ransomware:\r\n\r\nhttp:\/\/2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid[.]onion\/?access-key=${ACCESS_KEY}\",\"note_short_text\":\"Important\r\n\r\nOnce the victim navigates to the onion site provided, they will see something similar to Figure 5 below. This site reiterates the problem and that the actor's Decrypt App private key is the only way to get their data back. 
The portal also provides chat facilities, the ransom amounts \u2013 which can differ depending on when the payment is sent \u2013 how to pay, and a way to test that the decryption works.\r\n\r\n[caption id=\"attachment_121765\" align=\"aligncenter\" width=\"624\"] Figure 5. Example onion site information for BlackCat victims.[\/caption]\r\n\r\nUnit 42 has observed BlackCat affiliates asking for ransom amounts of up to $14 million, though they offered to discount this demand to $9 million if paid before the established time. Interestingly, the ransom demand gives the victim the option to pay not only in Bitcoin (the most common option) but also in Monero.\r\n\r\nIn some cases, BlackCat operators use the chat to threaten the victim, claiming they will perform a DDoS attack on the victims' infrastructure if the ransom is not paid. When it appears in addition to the use of a leak site, this practice is known as triple extortion, a tactic that was observed being used by groups like Avaddon and Suncrypt in the past.\r\n\r\nOne unique feature of BlackCat ransomware is that negotiation chats can only be accessed by those holding an access token key or ransom note \u2013\u00a0the group has made efforts to avoid third-party snooping.\r\nCourses of Action\r\nThis section documents the relevant tactics, techniques and procedures (TTPs) used by BlackCat ransomware and operators, mapping them directly to the Palo Alto Networks product(s) and service(s) protecting against them. 
It also further instructs customers on how to ensure their devices are appropriately configured.\r\n\r\n\r\n\r\nProduct \/ Service\r\n\r\nCourse of Action\r\n\r\n\r\n\r\n\r\nDiscovery\r\n\r\n\r\n\r\n\r\nThe below courses of action mitigate the following techniques:\r\nProcess Discovery [T1057], File and Directory Discovery [T1083]\r\n\r\n\r\n\r\nCORTEX XDR PREVENT\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\n\r\n\r\n\r\nLateral Movement\r\n\r\n\r\n\r\n\r\nThe below courses of action mitigate the following techniques:\r\nLateral Tool Transfer [T1570]\r\n\r\n\r\n\r\nTHREAT PREVENTION\u2020\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\n\r\n\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels, categories and threats\r\n\r\n\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\n\r\n\r\n\r\nCommand and Control\r\n\r\n\r\n\r\n\r\nThe below courses of action mitigate the following techniques:\r\nMulti-hop Proxy [T1090.003]\r\n\r\n\r\n\r\nTHREAT PREVENTION\u2020\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles in use\r\n\r\n\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels, categories and threats\r\n\r\n\r\nEnsure a secure anti-spyware profile is applied to all security policies permitting traffic to the internet\r\n\r\n\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\n\r\n\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\n\r\n\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\n\r\n\r\nADVANCED URL FILTERING\u2020\r\nEnsure that URL Filtering uses the action of \u201cblock\u201d or \u201coverride\u201d on the URL categories\r\n\r\n\r\nEnsure secure URL filtering is enabled for all security policies allowing traffic to the internet\r\n\r\n\r\nEnsure 
that Advanced URL Filtering is used\r\n\r\n\r\nEnsure that access to every URL is logged\r\n\r\n\r\nEnsure all HTTP Header Logging options are enabled\r\n\r\n\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook - PAN-OS Query Logs for Indicators\r\n\r\n\r\nDeploy XSOAR Playbook - Palo Alto Networks - Hunting And Threat Detection\r\n\r\n\r\nNEXT-GENERATION FIREWALLS\r\nEnsure 'SSL Forward Proxy Policy' for traffic destined to the internet is configured\r\n\r\n\r\nEnsure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS\r\n\r\n\r\nEnsure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone\r\n\r\n\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\n\r\n\r\nEnsure 'Security Policy' denying any\/all traffic to\/from IP addresses on Trusted Threat Intelligence Sources exists\r\n\r\n\r\nEnsure that the Certificate used for Decryption is Trusted\r\n\r\n\r\n\r\nExfiltration\r\n\r\n\r\n\r\n\r\nThe below courses of action mitigate the following techniques:\r\nExfiltration to Cloud Storage [T1567.002]\r\n\r\n\r\n\r\nURL FILTERING\u2020\r\nEnsure secure URL filtering is enabled for all security policies allowing traffic to the internet\r\n\r\n\r\nEnsure all HTTP Header Logging options are enabled\r\n\r\n\r\nEnsure that URL Filtering uses the action of \u2018block\u2019 or \u2018override\u2019 on the URL categories\r\n\r\n\r\nEnsure that access to every URL is logged\r\n\r\n\r\nEnsure that Advanced URL Filtering is used\r\n\r\n\r\n\r\nImpact\r\n\r\n\r\n\r\n\r\nThe below courses of action mitigate the following techniques:\r\nData Encrypted for Impact [T1486], Service Stop [T1489], Inhibit System Recovery [T1490]\r\n\r\n\r\n\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook - Ransomware Manual for incident response.\r\n\r\n\r\nDeploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation\r\n\r\n\r\n\r\nTable 1. 
Courses of Action for BlackCat ransomware.\r\n\u2020These capabilities are part of the NGFW security subscriptions service\r\n\r\nConclusion\r\nBlackCat is an innovative and sophisticated ransomware family that is rapidly forming a reputation for its highly customized and individualized attacks. By leveraging the Rust programming language, the malware authors are able to easily compile it against various operating system architectures, which facilitates the group\u2019s ability to pivot from one victim to the next. As seen with other ransomware families, BlackCat operates with a RaaS model and utilizes multiple extortion techniques, then publishes a leak site to further pressure victims into paying the ransom.\r\n\r\nPalo Alto Networks detects and prevents BlackCat ransomware in the following ways:\r\n\r\n \tWildFire: All known samples are identified as malware.\r\n \tCortex XDR with:\r\n\r\n \tIndicators for BlackCat.\r\n \tAnti-Ransomware Module to detect BlackCat encryption behaviors on Windows.\r\n \tLocal Analysis detection for BlackCat binaries on Windows.\r\n \tBTP rule prevents Ransomware activity on Linux.\r\n\r\n\r\n \tNext-Generation Firewalls: DNS Signatures detect the known command and control (C2) domains, which are also categorized as malware in URL Filtering.\r\n\r\nIndicators of compromise and BlackCat-associated TTPs can be found in the BlackCat ATOM.\r\n\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC: +65.6983.8730, or Japan: +81.50.1790.0200.\r\n\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nAdditional Resources\r\n\r\n \tNoberus: Technical Analysis Shows Sophistication of New Rust-Based Ransomware\r\n \tHighlights from the 2021 Unit 42 Ransomware Threat Report\r\n\r\nAcknowledgements\r\nWe would like to thank Simon Conant for his help with sample collection, and malware and infrastructure analysis.","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/01\/Unit42-ransomware-21-illustration_yellow.png","width":150,"height":80},"author":[{"@type":"Person","name":"Amanda Tanner"},{"@type":"Person","name":"Alex Hinchliffe"},{"@type":"Person","name":"Doel Santos"}]}</script><link rel='stylesheet' id='crayon-css'  href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' type='text/css' media='all' />
<link rel='stylesheet' id='wp-block-library-css'  href='https://unit42.paloaltonetworks.com/wp-includes/css/dist/block-library/style.min.css?ver=5.9.2' type='text/css' media='all' />
<style id='global-styles-inline-css' type='text/css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: 
linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) 
!important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) 
!important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) 
!important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
</style>
<link rel='stylesheet' id='dashicons-css'  href='https://unit42.paloaltonetworks.com/wp-includes/css/dashicons.min.css?ver=5.9.2' type='text/css' media='all' />
<link rel='stylesheet' id='post-views-counter-frontend-css'  href='https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/css/frontend.css?ver=1.3.11' type='text/css' media='all' />
<link rel='stylesheet' id='ppress-frontend-css'  href='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/css/frontend.min.css?ver=3.2.9' type='text/css' media='all' />
<link rel='stylesheet' id='ppress-flatpickr-css'  href='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/flatpickr/flatpickr.min.css?ver=3.2.9' type='text/css' media='all' />
<link rel='stylesheet' id='ppress-select2-css'  href='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/select2/select2.min.css?ver=5.9.2' type='text/css' media='all' />
<link rel='stylesheet' id='wpml-legacy-horizontal-list-0-css'  href='//unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-list-horizontal/style.min.css?ver=1' type='text/css' media='all' />
<link rel='stylesheet' id='wpml-legacy-post-translations-0-css'  href='//unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-post-translations/style.min.css?ver=1' type='text/css' media='all' />
<link rel='stylesheet' id='wordpress-popular-posts-css-css'  href='https://unit42.paloaltonetworks.com/wp-content/plugins/wordpress-popular-posts/assets/css/wpp.css?ver=5.5.1' type='text/css' media='all' />
<link rel='stylesheet' id='unit42/css-css'  href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/dist/styles/main.css?v2' type='text/css' media='all' />
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<script type='text/javascript' id='crayon_js-js-extra'>
/* <![CDATA[ */
// Settings and UI strings read by crayon.min.js (loaded right after this block).
// ajaxurl is the public WordPress admin-ajax endpoint; is_admin "0" marks a
// front-end (unauthenticated) page.
var CrayonSyntaxSettings = {
	version: "_2.7.2_beta",
	is_admin: "0",
	ajaxurl: "https://unit42.paloaltonetworks.com/wp-admin/admin-ajax.php",
	prefix: "crayon-",
	setting: "crayon-setting",
	selected: "crayon-setting-selected",
	changed: "crayon-setting-changed",
	special: "crayon-setting-special",
	orig_value: "data-orig-value",
	debug: ""
};
var CrayonSyntaxStrings = {
	copy: "Press %s to Copy, %s to Paste",
	minimize: "Click To Expand Code"
};
/* ]]> */
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js?ver=_2.7.2_beta' id='crayon_js-js'></script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/flatpickr/flatpickr.min.js?ver=5.9.2' id='ppress-flatpickr-js'></script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/select2/select2.min.js?ver=5.9.2' id='ppress-select2-js'></script>
<script type='application/json' id='wpp-json'>
{"sampling_active":0,"sampling_rate":100,"ajax_url":"https:\/\/unit42.paloaltonetworks.com\/wp-json\/wordpress-popular-posts\/v1\/popular-posts","api_url":"https:\/\/unit42.paloaltonetworks.com\/wp-json\/wordpress-popular-posts","ID":121749,"token":"ec3c68e8b4","lang":0,"debug":0}
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/wordpress-popular-posts/assets/js/wpp.min.js?ver=5.5.1' id='wpp-js-js'></script>
<script type='text/javascript' id='wpml-xdomain-data-js-extra'>
/* <![CDATA[ */
// Configuration for WPML's xdomain-data.js (loaded right after this block):
// the language-switcher item selector, the admin-ajax endpoint it talks to,
// and the current language code.
var wpml_xdomain_data = {
	css_selector: "wpml-ls-item",
	ajax_url: "https://unit42.paloaltonetworks.com/wp-admin/admin-ajax.php",
	current_lang: "en"
};
/* ]]> */
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/res/js/xdomain-data.js?ver=4.5.5' id='wpml-xdomain-data-js'></script>
<link rel="https://api.w.org/" href="https://unit42.paloaltonetworks.com/wp-json/" /><link rel="alternate" type="application/json" href="https://unit42.paloaltonetworks.com/wp-json/wp/v2/posts/121749" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://unit42.paloaltonetworks.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://unit42.paloaltonetworks.com/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress 5.9.2" />
<link rel='shortlink' href='https://unit42.paloaltonetworks.com/?p=121749' />
<link rel="alternate" type="application/json+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fblackcat-ransomware%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fblackcat-ransomware%2F&#038;format=xml" />
<meta name="generator" content="WPML ver:4.5.5 stt:1,28;" />
<meta name="google-site-verification" content="zHZtYOWm9hm4SZgsH7wqiYcOwmsAsxDUDU4UD1QxB40" /><style>#wpdevart_lb_overlay{background-color:#000000;} #wpdevart_lb_overlay.wpdevart_opacity{opacity:0.8 !important;} #wpdevart_lb_main_desc{
				 -webkit-transition: opacity 0.3s ease;
				 -moz-transition: opacity 0.3s ease;
				 -o-transition: opacity 0.3s ease;
				 transition: opacity 0.3s ease;} #wpdevart_lb_information_content{
				 -webkit-transition: opacity 0.3s ease;
				 -moz-transition: opacity 0.3s ease;
				 -o-transition: opacity 0.3s ease;
				 transition: opacity 0.3s ease;}
		#wpdevart_lb_information_content{
			width:100%;	
			padding-top:0px;
			padding-bottom:0px;
		}
		#wpdevart_info_counter_of_imgs{
			    display: inline-block;
				padding-left:15px;
				padding-right:4px;
				font-size:20px;
				color:#000000;
		}
		#wpdevart_info_caption{
			    display: inline-block;
				padding-left:15px;
				padding-right:4px;
				font-size:20px;
				color:#000000;
		}
		#wpdevart_info_title{
			    display: inline-block;
				padding-left:5px;
				padding-right:5px;
				font-size:15px;
				color:#000000;
		}
		@-webkit-keyframes rotate {
			to   {-webkit-transform: rotate(360deg);}
			from  {-webkit-transform: rotate(0deg);}
		}
		@keyframes rotate {
			to   {transform: rotate(360deg);}
			from  {transform: rotate(0deg);}
		}
		#wpdevart_lb_loading_img,#wpdevart_lb_loading_img_first{
			-webkit-animation: rotate 2s linear  infinite;
    		animation: rotate 2s linear infinite;
		}
	  </style>                  <style id="wpp-loading-animation-styles">@-webkit-keyframes bgslide{from{background-position-x:0}to{background-position-x:-200%}}@keyframes bgslide{from{background-position-x:0}to{background-position-x:-200%}}.wpp-widget-placeholder,.wpp-widget-block-placeholder{margin:0 auto;width:60px;height:3px;background:#dd3737;background:linear-gradient(90deg,#dd3737 0%,#571313 10%,#dd3737 100%);background-size:200% auto;border-radius:3px;-webkit-animation:bgslide 1s infinite linear;animation:bgslide 1s infinite linear}</style>
            
		<style>
			#wp-admin-bar-pvc-post-views .pvc-graph-container { padding-top: 6px; padding-bottom: 6px; position: relative; display: block; height: 100%; box-sizing: border-box; }
			#wp-admin-bar-pvc-post-views .pvc-line-graph {
				display: inline-block;
				width: 1px;
				margin-right: 1px;
				background-color: #ccc;
				vertical-align: baseline;
			}
			#wp-admin-bar-pvc-post-views .pvc-line-graph:hover { background-color: #eee; }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-0 { height: 1% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-1 { height: 5% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-2 { height: 10% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-3 { height: 15% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-4 { height: 20% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-5 { height: 25% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-6 { height: 30% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-7 { height: 35% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-8 { height: 40% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-9 { height: 45% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-10 { height: 50% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-11 { height: 55% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-12 { height: 60% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-13 { height: 65% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-14 { height: 70% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-15 { height: 75% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-16 { height: 80% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-17 { height: 85% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-18 { height: 90% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-19 { height: 95% }
			#wp-admin-bar-pvc-post-views .pvc-line-graph-20 { height: 100% }
		</style>  <script>var $ = jQuery;</script>
  
  
<script type="text/javascript">
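// Anti-flicker snippet: hides <body> while the async assets.adobedtm.com
// script loaded just below this block gets a chance to run, then removes the
// hiding rule after `timeout` ms so the page never stays blank if that script
// is slow, blocked or fails to load.
;(function(win, doc, css, timeout) {
  var STYLE_ID = 'at-body-style';

  // Returns the document's <head>, or undefined if there is none yet.
  function getParent() {
    return doc.getElementsByTagName('head')[0];
  }

  // Appends a <style id=id> carrying `def` to `parent`; no-op without a parent.
  function addStyle(parent, id, def) {
    if (!parent) {
      return;
    }
    var el = doc.createElement('style');
    el.id = id;
    // textContent instead of innerHTML: the payload is a plain CSS string, and
    // innerHTML is a string-to-markup sink that Trusted Types / DOM-XSS linters
    // flag, so this keeps the snippet usable under a strict CSP.
    el.textContent = def;
    parent.appendChild(el);
  }

  // Removes the element with id `id` from `parent`; no-op if either is missing.
  function removeStyle(parent, id) {
    if (!parent) {
      return;
    }
    var el = doc.getElementById(id);
    if (!el) {
      return;
    }
    parent.removeChild(el);
  }

  addStyle(getParent(), STYLE_ID, css);
  setTimeout(function() {
    removeStyle(getParent(), STYLE_ID);
  }, timeout);
}(window, document, "body {visibility:hidden !important}", 3000));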
</script>

<script src="//assets.adobedtm.com/9273d4aedcd2/0d76ae0322d7/launch-425c423d843b.min.js" async></script>
<script type="text/javascript" src="https://www.paloaltonetworks.com/content/dam/pan/en_US/includes/attribution.js"></script>
  

<script type="text/javascript">
    // IE11 only (Trident engine reporting rv:11): synchronously pull in the
    // theme's polyfill bundle via document.write so it is executed before the
    // rest of the document is parsed. The "\x3C/script>" spelling stops the
    // HTML parser from treating the string as the end of this inline script.
    var isIE11 = /Trident.*rv:11\./.test(navigator.userAgent);
    if (isIE11) {
        var polyfill = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/dist/scripts/polyfill.min.js';
        document.write('<script type="text/javascript" src="' + polyfill + '">\x3C/script>');
    }
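    /**
     * String.prototype.replaceAll() polyfill
     * https://gomakethings.com/how-to-replace-a-section-of-a-string-with-another-one-with-vanilla-js/
     * @author Chris Ferdinandi
     * @license MIT
     *
     * Spec-conformant replacement for the original: a string pattern is matched
     * literally (the original fed it straight into `new RegExp`, so "." or "+"
     * in the pattern were treated as regex metacharacters and replaced the
     * wrong text), and a RegExp pattern must carry the global flag (native
     * replaceAll throws a TypeError otherwise).
     *
     * @param {string|RegExp} str    pattern to replace
     * @param {string|Function} newStr replacement (same "$&"-style semantics as replace)
     * @returns {string} a new string with every match replaced
     * @throws {TypeError} when `str` is a RegExp without the global flag
     */
    function replaceAllPolyfill(str, newStr) {
        if (Object.prototype.toString.call(str).toLowerCase() === '[object regexp]') {
            if (!str.global) {
                throw new TypeError('replaceAll must be called with a global RegExp');
            }
            return this.replace(str, newStr);
        }

        // Escape regex metacharacters so the string is matched verbatim.
        var escaped = String(str).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
        return this.replace(new RegExp(escaped, 'g'), newStr);
    }

    if (!String.prototype.replaceAll) {
        String.prototype.replaceAll = replaceAllPolyfill;
    }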


    /*
     * lozad.js (vendored, minified; see header below). Lazy-loads elements
     * matching the ".lozad" selector (or a caller-supplied selector, Element
     * or NodeList) by copying data-src / data-srcset / data-poster /
     * data-background-image[-set] / data-iesrc / data-alt into the live
     * attributes once the element enters the viewport. Uses IntersectionObserver
     * when the browser has it and otherwise loads every element eagerly on
     * observe(); each element is tagged data-loaded="true" so it is processed
     * only once. Exposes lozad(selector, options) on the global object and
     * returns { observe, triggerLoad, observer }.
     *
     * NOTE(review): data-background-image[-set] values are interpolated
     * unescaped into style.backgroundImage / the style attribute. Here they
     * come from the page's own markup; if that markup were ever built from
     * untrusted input this would be a CSS-injection sink - confirm before reuse.
     */
    /*! lozad.js - v1.16.0 - 2020-09-06 */
!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):t.lozad=e()}(this,function(){"use strict";
/**
   * Detect IE browser
   * @const {boolean}
   * @private
   */var g="undefined"!=typeof document&&document.documentMode,f={rootMargin:"0px",threshold:0,load:function(t){if("picture"===t.nodeName.toLowerCase()){var e=t.querySelector("img"),r=!1;null===e&&(e=document.createElement("img"),r=!0),g&&t.getAttribute("data-iesrc")&&(e.src=t.getAttribute("data-iesrc")),t.getAttribute("data-alt")&&(e.alt=t.getAttribute("data-alt")),r&&t.append(e)}if("video"===t.nodeName.toLowerCase()&&!t.getAttribute("data-src")&&t.children){for(var a=t.children,o=void 0,i=0;i<=a.length-1;i++)(o=a[i].getAttribute("data-src"))&&(a[i].src=o);t.load()}t.getAttribute("data-poster")&&(t.poster=t.getAttribute("data-poster")),t.getAttribute("data-src")&&(t.src=t.getAttribute("data-src")),t.getAttribute("data-srcset")&&t.setAttribute("srcset",t.getAttribute("data-srcset"));var n=",";if(t.getAttribute("data-background-delimiter")&&(n=t.getAttribute("data-background-delimiter")),t.getAttribute("data-background-image"))t.style.backgroundImage="url('"+t.getAttribute("data-background-image").split(n).join("'),url('")+"')";else if(t.getAttribute("data-background-image-set")){var d=t.getAttribute("data-background-image-set").split(n),u=d[0].substr(0,d[0].indexOf(" "))||d[0];// Substring before ... 1x
u=-1===u.indexOf("url(")?"url("+u+")":u,1===d.length?t.style.backgroundImage=u:t.setAttribute("style",(t.getAttribute("style")||"")+"background-image: "+u+"; background-image: -webkit-image-set("+d+"); background-image: image-set("+d+")")}t.getAttribute("data-toggle-class")&&t.classList.toggle(t.getAttribute("data-toggle-class"))},loaded:function(){}};function A(t){t.setAttribute("data-loaded",!0)}var m=function(t){return"true"===t.getAttribute("data-loaded")},v=function(t){var e=1<arguments.length&&void 0!==arguments[1]?arguments[1]:document;return t instanceof Element?[t]:t instanceof NodeList?t:e.querySelectorAll(t)};return function(){var r,a,o=0<arguments.length&&void 0!==arguments[0]?arguments[0]:".lozad",t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:{},e=Object.assign({},f,t),i=e.root,n=e.rootMargin,d=e.threshold,u=e.load,g=e.loaded,s=void 0;"undefined"!=typeof window&&window.IntersectionObserver&&(s=new IntersectionObserver((r=u,a=g,function(t,e){t.forEach(function(t){(0<t.intersectionRatio||t.isIntersecting)&&(e.unobserve(t.target),m(t.target)||(r(t.target),A(t.target),a(t.target)))})}),{root:i,rootMargin:n,threshold:d}));for(var c,l=v(o,i),b=0;b<l.length;b++)(c=l[b]).getAttribute("data-placeholder-background")&&(c.style.background=c.getAttribute("data-placeholder-background"));return{observe:function(){for(var t=v(o,i),e=0;e<t.length;e++)m(t[e])||(s?s.observe(t[e]):(u(t[e]),A(t[e]),g(t[e])))},triggerLoad:function(t){m(t)||(u(t),A(t),g(t))},observer:s}}});

</script>
<script type="text/javascript">
  
// Page-level analytics record, presumably read by the site's tracking scripts.
// pageName must be unique per page; pageURL is the page address without parameters.
var webData = {
  channel: "unit42",                          // site section the visitor is in
  property: "unit42.paloaltonetworks.com",    // domain or sub-domain
  pageType: "blogs",
  language: "en_us",
  pageName: "unit42:Threat Assessment: BlackCat Ransomware",
  pageURL: "https://unit42.paloaltonetworks.com/blackcat-ransomware/"
};

// "container" was written to sessionStorage by the head script from the
// ?container= query parameter, so it is visitor-supplied text, not a site value.
if (webData && sessionStorage.getItem("container")) {
  webData.container = sessionStorage.getItem("container");
}

</script>
</head>
  <body class="post-template-default single single-post postid-121749 single-format-standard">
    <style type="text/css">
	.pan-page-alert {
		height: 60px;
	    width: 100%;
	    background-color: #f4f4f2;
	    text-align: center;
	    position: relative;
	    top: 0;
	    left: 0;
	    right: 0;
	    line-height: 20px;
	    display: flex;
	    align-items: center;
	    justify-content: space-between;
	    z-index: 999;
	    padding: 0;
	    display: none;
	}
	.pan-page-alert.open {
		display: flex;
		z-index: 1;
	}
	.pan-page-alert .pan-page-alert-text {
		flex-grow: 1;
	    color: #141414;
	    font-family: Decimal,Arial,"Helvetica Neue",Helvetica,sans-serif;
	    font-style: normal;
	    font-weight: 600;
	    line-height: 20px;
	}
	.pan-page-alert .pan-page-alert-text a {
		color: #C84727;
		text-decoration: none;
		border-bottom: 2px solid #C84727;
	}
	.pan-page-alert .pan-page-alert-close {
		margin: 0 15px;
		width: 24px;
		height: 24px;
		border-radius: 24px;
		background-size: contain;
		background-repeat: no-repeat;
		background-position: center;
		background-image: url(/etc/clientlibs/clean/imgs/x-black.svg);
		border: 0;
		background-color: transparent;
	}
	
	@media(max-width: 1199.98px){
		.panClean .pan-page-alert .pan-page-alert-text {
			text-align: left;
			padding-left: calc(7.14285714vw + 15px);
		}
		.pan-page-alert .pan-page-alert-text {
	    	font-size: 14px;
	    }
	}
	@media(min-width: 1200px){
		.pan-page-alert .pan-page-alert-text {
	    	font-size: 16px;
	    }
	}
</style>

    <script type="text/javascript">
        
        // Top ribbon (#info-alert-top1): opened on every visit until the visitor
        // dismisses it once; the dismissal is remembered in localStorage.
        if (localStorage.getItem('top_ribbon_closed') === null) {
          document.getElementById('info-alert-top1').classList.add("open");
        }

        // Direct handler: push the mobile nav down once the ribbon is closed.
        $(".pan-page-alert-close").click(function () {
          $("#nav-mobile").css("top", "72px").addClass("add-nav-height");
        });

        // Delegated handler: hide the ribbon and persist the choice.
        $(document).on('click', '.pan-page-alert .pan-page-alert-close', function () {
          document.getElementById('info-alert-top1').classList.remove("open");
          localStorage.setItem('top_ribbon_closed', "yes");
        });
          
    </script>
<script type="text/javascript">
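	/**
	 * Return the value of the cookie named `cname`, or "" when it is absent.
	 *
	 * @param {string} cname         cookie name to look up
	 * @param {string} [cookieString] raw cookie header text; defaults to
	 *                                document.cookie and is a parameter only so
	 *                                the parser can be exercised without a DOM
	 * @returns {string} the (percent-decoded) value, or ""
	 *
	 * Each "; "-separated cookie is decoded on its own and a cookie with a
	 * malformed escape sequence is kept raw, so decodeURIComponent can no
	 * longer throw a URIError that would abort this whole inline script
	 * (which would also leave the default header hidden).
	 */
	function getCookie(cname, cookieString = document.cookie) {
		var name = cname + "=";
		var parts = cookieString.split(';');
		for (var i = 0; i < parts.length; i++) {
			var c = parts[i].replace(/^ +/, '');   // strip the space after each ';'
			var decoded;
			try {
				decoded = decodeURIComponent(c);
			} catch (e) {
				decoded = c;   // bad escape sequence: fall back to the raw text
			}
			if (decoded.indexOf(name) === 0) {
				return decoded.substring(name.length);
			}
		}
		return "";
	}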

	// Work out which product context ("Prisma", "Cortex", "Sase") the visitor
	// arrived from. It decides whether the default Unit 42 header is shown or
	// the main-site product header is fetched. `referer` and
	// `searchResultsPagePath` are globals read by callMainSitePrismaNavHTML.
	var referer = "";
	var pcontainer = sessionStorage.getItem("container");
	var searchResultsPagePath = "";
	if (pcontainer) {
		// First matching label wins, checked in this order.
		["Prisma", "Cortex", "Sase"].some(function (label) {
			if (pcontainer.indexOf(label) !== -1) {
				referer = label;
				return true;
			}
			return false;
		});
	}

	var fromRef = document.referrer;
	var nContainer = getCookie("navContainer");
	if (nContainer) {
		// A navContainer cookie means the visitor came from the main site, so
		// it overrides the session value. NOTE(review): indexOf is a substring
		// test, not an origin check — any referrer containing
		// "paloaltonetworks.com" passes; the only effect is which first-party
		// header gets requested. document.referrer is always a string, so the
		// unguarded indexOf in the else-if is safe.
		if (fromRef && fromRef.indexOf("prismacloud.io") !== -1) {
			referer = 'Prisma';
			sessionStorage.setItem("container", "Prisma");
		} else if (fromRef.indexOf("paloaltonetworks.com") !== -1 || fromRef.indexOf("paloaltonetworks.jp") !== -1) {
			// Independent checks, not a chain: a later label overwrites an earlier one.
			["Prisma", "Cortex", "Sase"].forEach(function (label) {
				if (nContainer.indexOf(label) !== -1) {
					referer = label;
					sessionStorage.setItem("container", label);
				}
			});
			// Expire the cookie (scoped to the parent domain, so shared across
			// subdomains) so the override applies to this visit only.
			document.cookie = 'navContainer=; path=/; domain=.paloaltonetworks.com; expires=' + new Date(0).toUTCString();
		}
	}

	console.log("referer" + referer);   // debug output, left in production
	if (["Prisma", "Cortex", "Sase"].indexOf(referer) === -1) {
		// No product context: reveal the default Unit 42 header and navigation.
		document.getElementById('navigation').removeAttribute("style");
		document.getElementsByTagName("header")[0].removeAttribute("style");
	}
/**
 * Load the main-site product header that matches the global `referer`
 * ("Prisma", "Cortex" or "Sase") and publish the matching search page.
 *
 * Side effects: writes sessionStorage "domain", assigns the global
 * `searchResultsPagePath`, requests the header via httpGet (which injects it
 * into #PAN_2021_NAV_ASYNC) and un-hides #main-nav-menu-cont.
 * All URLs are built on the hard-coded first-party domain; `referer` only
 * selects among the fixed entries below.
 */
function callMainSitePrismaNavHTML() {
    var referrer_domain = 'https://www.paloaltonetworks.com';
    sessionStorage.setItem("domain", referrer_domain);

    // [header renderer path, search results path] per product.
    var byProduct = {
        Prisma: ['/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html', '/search/prismasearch'],
        Cortex: ['/_jcr_content/globals/cleanHeaderCortex.cortexRenderer.html', '/search/cortexsearch'],
        Sase:   ['/_jcr_content/globals/cleanHeaderSase.saseRenderer.html',     '/search/sasesearch']
    };

    var menu_url;
    if (Object.prototype.hasOwnProperty.call(byProduct, referer)) {
        menu_url = referrer_domain + byProduct[referer][0];
        searchResultsPagePath = referrer_domain + byProduct[referer][1];
    }
    // The caller only invokes this for one of the three products; with any
    // other referer menu_url stays undefined.
    httpGet(menu_url, 'menu_html');
    document.getElementById('main-nav-menu-cont').removeAttribute("style");
}
/**
 * Append `styles` (CSS text) to the document as a new <style> element.
 *
 * @param {string} styles CSS source to inject
 * The styleSheet.cssText branch is a legacy path for engines that expose
 * it; everyone else gets the CSS as a text node.
 */
function addStyle(styles) {
    var styleEl = document.createElement('style');
    styleEl.type = 'text/css';

    if (styleEl.styleSheet) {
        styleEl.styleSheet.cssText = styles;
    } else {
        styleEl.appendChild(document.createTextNode(styles));
    }

    document.getElementsByTagName("head")[0].appendChild(styleEl);
}
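    /**
     * Synchronous GET of `theUrl`; on HTTP 200 the body is consumed by `req_type`:
     *   'menu_html'       rewrite root-relative src/href to the main site and
     *                     inject the markup into #PAN_2021_NAV_ASYNC via innerHTML
     *   'head_inline_css' append the body as a <style> via addStyle()
     *
     * @param {string} theUrl   URL to fetch — callers pass hard-coded first-party
     *                          URLs; the response is injected as trusted markup
     *                          without escaping, so never call this with a
     *                          visitor-controlled URL
     * @param {string} req_type 'menu_html' | 'head_inline_css'
     *
     * Fixes: `xmlhttp` is now a local (it used to be an implicit global that any
     * other script could clobber mid-request), and a .lozad-background element
     * without a url('…')-shaped data-background-image is skipped instead of
     * throwing a TypeError or being rewritten to the bare site URL.
     */
    function httpGet(theUrl, req_type)
    {
        var xmlhttp;
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        } else {
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");   // legacy IE fallback
        }
        xmlhttp.onreadystatechange = function () {
            if (xmlhttp.readyState != 4 || xmlhttp.status != 200) {
                return;
            }
            if (req_type == 'menu_html') {
                // Remove the Coveo search bundle reference (presumably so the
                // injected header does not pull it in), then point root-relative
                // assets and links at the main site.
                var nav_text = xmlhttp.responseText.replaceAll('https://static.cloud.coveo.com/searchui/v2.9159/js/CoveoJsSearch.Lazy.min.js', '');
                nav_text = nav_text.replaceAll('src="/', 'src="' + maindomain_lang + '/');
                document.getElementById("PAN_2021_NAV_ASYNC").innerHTML = nav_text.replaceAll('href="/', 'href="' + maindomain_lang + '/');

                // Lazy backgrounds in the fetched markup presumably arrive as
                // url('/path'); unwrap the quoted path and prefix the main-site
                // origin so the lazy loader receives an absolute path.
                var lozad_back = document.getElementsByClassName('lozad-background');
                Array.prototype.forEach.call(lozad_back, function (el) {
                    var el_back_img_path = el.getAttribute('data-background-image');
                    if (!el_back_img_path) {
                        return;   // attribute missing: nothing to rewrite
                    }
                    var first_pos = el_back_img_path.indexOf("'");
                    var last_pos = el_back_img_path.indexOf("'", first_pos + 1);
                    if (first_pos === -1 || last_pos === -1) {
                        return;   // not the quoted url('…') shape this rewrite expects
                    }
                    el_back_img_path = el_back_img_path.substring(first_pos + 1, last_pos);
                    el.setAttribute("data-background-image", main_site_url + el_back_img_path);
                });
            }
            if (req_type == 'head_inline_css') {
                addStyle(xmlhttp.responseText);
            }
        };
        // The third argument keeps the request synchronous, which blocks the
        // main thread until the response arrives; the callers do not depend on
        // the response, so this could become async — TODO confirm before changing.
        xmlhttp.open("GET", theUrl, false);
        xmlhttp.send();
    }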
    
    if (referer == 'Prisma' || referer == 'Cortex' || referer == 'Sase') {
        // Tag the async nav container with the product name (lower-cased) so
        // the fetched header can pick up its product styling, then load it.
        const article = document.querySelector('#PAN_2021_NAV_ASYNC');
        article.dataset.type = referer.toLowerCase();
        callMainSitePrismaNavHTML();
    }
</script>


  <article class="article overflow-hidden">
    
<header class="article__header py-sm-25 pt-40 pb-25 bg-gray-700">
  <div class="container">
    
    <h1 class="article__header__title mb-sm-30 mb-40">Threat Assessment: BlackCat Ransomware</h1>


  </div>
</header>    <div class="article__summary py-25 text-gray-500 font-size-sm">
  <div class="container">
    <div class="row align-items-center no-gutters">
      <div class="col-sm-auto col-12 mb-sm-0 mb-35">
        <i class="ui ui-11 text-gray-700 mr-sm-20"></i>
      </div>
  
      <div class="col-sm col-12">
        <p>
          By <a href="https://unit42.paloaltonetworks.com/author/amanda-tanner/" title="Posts by Amanda Tanner" class="author url fn" rel="author">Amanda Tanner</a>, <a href="https://unit42.paloaltonetworks.com/author/alex-hinchliffe/" title="Posts by Alex Hinchliffe" class="author url fn" rel="author">Alex Hinchliffe</a> and <a href="https://unit42.paloaltonetworks.com/author/doel-santos/" title="Posts by Doel Santos" class="author url fn" rel="author">Doel Santos</a>        </p>
        <p><time datetime="2022-01-27T14:00:27+00:00">January 27, 2022 at 6:00 AM</time></p>
        <p>Category: <a href="https://unit42.paloaltonetworks.com/category/malware-2/" rel="category tag">Malware</a>, <a href="https://unit42.paloaltonetworks.com/category/ransomware/" rel="category tag">Ransomware</a></p>
        <p>Tags: <a href="https://unit42.paloaltonetworks.com/tag/alphv/" rel="tag">ALPHV</a>, <a href="https://unit42.paloaltonetworks.com/tag/blackcat-ransomware/" rel="tag">BlackCat ransomware</a>, <a href="https://unit42.paloaltonetworks.com/tag/conti-ransomware/" rel="tag">conti ransomware</a>, <a href="https://unit42.paloaltonetworks.com/tag/cybercrime/" rel="tag">Cybercrime</a>, <a href="https://unit42.paloaltonetworks.com/tag/ddos/" rel="tag">DDoS</a>, <a href="https://unit42.paloaltonetworks.com/tag/hive/" rel="tag">Hive</a>, <a href="https://unit42.paloaltonetworks.com/tag/lockbit-2-0/" rel="tag">LockBit 2.0</a>, <a href="https://unit42.paloaltonetworks.com/tag/threat-assessment/" rel="tag">threat assessment</a></p>
      </div>
    </div>
  </div>
</div>    <div class="py-30 bg-white">
      <div class="container">
        <div class="article__content pb-30">
                      <figure class="mb-30 text-center">
              <img width="900" height="482" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/Unit42-ransomware-21-illustration_yellow.png" class="attachment-single size-single" alt="A conceptual image representing ransomware, such as the BlackCat ransomware discussed here." loading="lazy" />            </figure>
                    <p class="wpml-ls-statics-post_translations wpml-ls">This post is also available in: 
    <span class="wpml-ls-slot-post_translations wpml-ls-item wpml-ls-item-ja wpml-ls-first-item wpml-ls-last-item wpml-ls-item-legacy-post-translations"><a href="https://unit42.paloaltonetworks.jp/blackcat-ransomware/" class="wpml-ls-link"><span class="wpml-ls-native" lang="ja">日本語</span><span class="wpml-ls-display"><span class="wpml-ls-bracket"> (</span>Japanese<span class="wpml-ls-bracket">)</span></span></a></span></p><h2><a id="post-121749-_n41yi9jwwr88"></a>Executive Summary</h2>
<p>BlackCat (aka ALPHV) is a ransomware family that surfaced in mid-November 2021 and quickly gained notoriety for its sophistication and innovation. Operating a ransomware-as-a-service (RaaS) business model, BlackCat was observed soliciting affiliates in known cybercrime forums, offering them the use of the ransomware while keeping 80-90% of the ransom payment. The remainder would be paid to the BlackCat author.</p>
<p>BlackCat has taken an aggressive approach to naming and shaming victims, listing more than a dozen on their leak site in a little over a month. The largest number of the group’s victims so far are U.S. organizations, but BlackCat and its affiliates have also attacked organizations in Europe, the Philippines and other locations. Victims include organizations in the following sectors: construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components and pharmaceuticals.</p>
<p>Use of BlackCat ransomware has grown quickly for a variety of reasons (for comparison, <a href="https://unit42.paloaltonetworks.com/emerging-ransomware-groups/">AvosLocker</a> had only listed a handful of victims publicly within two months of becoming known). Effective marketing to affiliates is a likely factor – in addition to offering an enticing share of ransom payments, the group has solicited affiliates by posting ads on forums such as Ransomware Anonymous Market Place (RAMP).</p>
<p>The malware itself is coded in the Rust programming language. Though this is not the first piece of malware to use Rust, it is one of the first, if not the first, piece of ransomware to use it. By leveraging this programming language, the malware authors are able to easily compile it against various operating system architectures. Given its numerous native options, Rust is highly customizable, which facilitates the ability to pivot and individualize attacks.</p>
<p>The threat actors leveraging BlackCat, often referred to as the “BlackCat gang,” utilize numerous tactics that are becoming increasingly commonplace in the ransomware space. Notably, they use multiple extortion techniques in some cases, including the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid and distributed denial-of-service (DDoS) attacks.</p>
<p>Palo Alto Networks detects and prevents BlackCat ransomware with the following products and services: <a href="https://www.paloaltonetworks.com/cortex/cortex-xdr">Cortex XDR</a> and <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall">Next-Generation Firewalls</a> (including cloud-delivered security subscriptions such as <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall">WildFire</a>).</p>
<p>Due to the surge of this malicious activity, we’ve created this threat assessment for overall awareness. Full visualization of the techniques observed, relevant courses of action and IOCs can be viewed in the <a href="https://unit42.paloaltonetworks.com/atoms/blackcat-ransomware/">Unit 42 ATOM viewer</a>.</p>
<table style="width: 99.1905%;">
<tbody>
<tr>
<td style="width: 42.8309%;"><span style="font-weight: 400;">Types of Attacks Covered</span></td>
<td style="width: 212.5%;"><a href="https://unit42.paloaltonetworks.com/category/ransomware/"><span style="font-weight: 400;">Ransomware</span></a><span style="font-weight: 400;">, </span><a href="https://unit42.paloaltonetworks.com/tag/ddos/"><span style="font-weight: 400;">DDoS</span></a></td>
</tr>
<tr>
<td style="width: 42.8309%;"><span style="font-weight: 400;">Ransomware Families Discussed</span></td>
<td style="width: 212.5%;"><a href="https://unit42.paloaltonetworks.com/tag/blackcat-ransomware/"><span style="font-weight: 400;">BlackCat</span></a><span style="font-weight: 400;"> </span></td>
</tr>
<tr>
<td style="width: 42.8309%;"><span style="font-weight: 400;">Related Unit 42 Topics</span></td>
<td style="width: 212.5%;"><a href="https://unit42.paloaltonetworks.com/tag/cyber-crime/"><span style="font-weight: 400;">Cybercrime</span></a><span style="font-weight: 400;">, </span><a href="https://unit42.paloaltonetworks.com/tag/conti-ransomware/"><span style="font-weight: 400;">Conti</span></a><span style="font-weight: 400;">, </span><a href="https://unit42.paloaltonetworks.com/tag/lockbit-2-0/"><span style="font-weight: 400;">LockBit 2.0</span></a><span style="font-weight: 400;">, </span><a href="https://unit42.paloaltonetworks.com/tag/hive/"><span style="font-weight: 400;">Hive</span></a><span style="font-weight: 400;">, </span><a href="https://unit42.paloaltonetworks.com/tag/avos/"><span style="font-weight: 400;">Avos</span></a></td>
</tr>
</tbody>
</table>
<h2><a id="post-121749-_ityilpf6fsuw"></a>Table of Contents</h2>
<p><a href="#BlackCat-Ransomware-Overview">BlackCat Ransomware Overview</a><br />
<a href="#Technical-Details">Technical Details</a><br />
• <a href="#BlackCat-Config">BlackCat Config</a><br />
• <a href="#Associated-Tools">Associated Tools</a><br />
<a href="#Post-compromise-Activities">Post-compromise Activities</a><br />
<a href="#Courses-of-Action">Courses of Action</a><br />
<a href="#Conclusion">Conclusion</a><br />
<a href="#Additional-Resources">Additional Resources</a><br />
<a href="#Acknowledgments">Acknowledgments</a></p>
<h2><a id="BlackCat-Ransomware-Overview"></a>BlackCat Ransomware Overview</h2>
<p>Soliciting via known cybercrime forums, BlackCat is seeking affiliates to deploy its ransomware. Affiliates keep an 80-90% share of the ransom payment, with the remainder going to the BlackCat author. These affiliates are interviewed and vetted before being accepted into the RaaS group. Once an affiliate is confirmed, they are given unique access to a Tor-based control panel.</p>
<p>Written in the Russian language, the control panel gives the affiliate updates and announcements about deploying and operating the ransomware as well as troubleshooting tips to help the affiliate be more successful in their campaigns. Along with the control panel, a name and shame blog is also hosted, targeting victims who have either ignored or refused to pay the ransom. This site has been regularly updated with new victims since the initial discovery of the group.</p>
<p>As shown in Figure 1 below, many RaaS operators use the double-extortion technique of exfiltrating data prior to encryption, which provides them greater leverage in negotiating ransom funds. As of December 2021, BlackCat has the seventh largest number of victims listed on their leak site among ransomware groups tracked by Unit 42 – impressive considering that this group has only been publicly known since November 2021. While Conti (ranked second) has been around in various guises for almost two years, it is surrounded at the top of the chart by <a href="https://unit42.paloaltonetworks.com/emerging-ransomware-groups/">emerging families</a>. LockBit 2.0 and Hive both have at least six months’ head start on BlackCat, but this highlights a worrying trend that newcomers (or reformed groups) can attack many victims in a short space of time.</p>
<figure id="attachment_121752" aria-describedby="caption-attachment-121752" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-121752" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/chart-3.png" alt="Victim count by ransomware family, December 2021, based on information captured from leak sites/name and shame blogs. Top ransomware families ordered by numbers of victims: Lockbit 2.0, Conti, Hive, Snatch, Grief, LV, BlackCat ransomware (ALPHV), AvosLocker, Quantum, Entropy, BlackByte, ROOK, LockBit, Vice Society, CLDP, Cubs, Lorenz, Sabbath, Atomsilo, AtomSilo, RansomEXX, RagnarLocker, etc." width="900" height="556" /><figcaption id="caption-attachment-121752" class="wp-caption-text">Figure 1. Leak site/name and shame blog statistics, December 2021.</figcaption></figure>
<p>Using the leak site information, we can understand the location and types of victims affected by BlackCat attacks. Victims include organizations in the following sectors: construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components and pharmaceuticals. Figure 2 breaks down the victims by country. However, the so-far sporadic spread of the attacks may indicate a somewhat opportunistic approach, as with most contemporary ransomware families.</p>
<figure id="attachment_121754" aria-describedby="caption-attachment-121754" style="width: 900px" class="wp-caption aligncenter"><img loading="lazy" class="wp-image-121754" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/chart-4.png" alt="Victims of BlackCat ransomware, based on data collected from leak sites, divided by country: USA 41.7%, Germany 16.7%, Netherlands 8.3%, France 8.3%, Spain 8.3%, Philippines 8.3%, Unknown 8.3%. " width="900" height="557" /><figcaption id="caption-attachment-121754" class="wp-caption-text">Figure 2. BlackCat leak site victims by country.</figcaption></figure>
<h2><a id="Technical-Details"></a>Technical Details</h2>
<p>BlackCat is positioned to pivot to individualized, customized attacks due to the numerous options available when coding in Rust (Figure 3). Rust has gained momentum due to its high performance, its suitability for web application development, its low overhead for embedded programming and its approach to memory management. Rust also benefits the BlackCat author through the efficiency of the algorithms that power the ransomware’s encryption capability. Because of its efficiency and adaptability, BlackCat has been seen targeting both Windows and Linux systems.</p>
<figure id="attachment_121756" aria-describedby="caption-attachment-121756" style="width: 836px" class="wp-caption aligncenter"><img loading="lazy" class="wp-image-121756" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/word-image-77.png" alt="BlackCat is positioned to pivot to individualized, customized attacks due to the numerous options available when coding in Rust, as shown in this screenshot. " width="836" height="454" /><figcaption id="caption-attachment-121756" class="wp-caption-text">Figure 3. BlackCat execution options.</figcaption></figure>
<p>In an effort to maintain longevity, the ransomware requires the <span style="font-family: 'courier new', courier, monospace;">--access-token</span> flag in order to execute, which can make it harder to analyze in sandboxed environments.</p>
<h3><a id="BlackCat-Config"></a>BlackCat Config</h3>
<p>While analyzing the ransomware configurations, we observed numerous evasion tactics deployed. These evasion techniques are used in an effort to impair or disable system defenses as well as to stop certain applications that may lock files open on disk, causing problems when trying to encrypt them. BlackCat attempts to kill several processes and services to hinder or prevent security solutions and backups. The process list checked is as follows:</p>
<p><span style="font-family: 'courier new', courier, monospace;">agntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, msaccess, mspub, mydesktopqos, mydesktopservice, notepad, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, powerpnt, sqbcoreservice, sql, steam, synctime, tbirdconfig, thebat, thunderbird, visio, winword, wordpad, xfssvccon, *sql*, bedbh, vxmon, benetns, bengien, pvlsvr, beserver, raw_agent_svc, vsnapvss, CagService, QBIDPService, QBDBMgrN, QBCFMonitorService, SAP, TeamViewer_Service, TeamViewer, tv_w32, tv_x64, CVMountd, cvd, cvfwd, CVODS, saphostexec, saposcol, sapstartsrv, avagent, avscc, DellSystemDetect, EnterpriseClient, VeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc</span></p>
<p>The services running on the compromised system are checked against the following list:</p>
<p><span style="font-family: 'courier new', courier, monospace;">mepocs, memtas, veeam, svc$, backup, sql, vss, msexchange, sql$, mysql, mysql$, sophos, MSExchange, MSExchange$, WSBExchange, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, GxBlr, GxVss, GxClMgrS, GxCVD, GxCIMgr, GXMMM, GxVssHWProv, GxFWD, SAPService, SAP, SAP$, SAPD$, SAPHostControl, SAPHostExec, QBCFMonitorService, QBDBMgrN, QBIDPService, AcronisAgent, VeeamNFSSvc, VeeamDeploymentService, VeeamTransportSvc, MVArmor, MVarmor64, VSNAPVSS, AcrSch2Svc</span></p>
<p>In an effort to maintain persistence, the BlackCat ransomware excludes key system and application folders – as well as key components – from encryption so as not to render the system and ransomware inoperative. The folders excluded are as follows:</p>
<p><span style="font-family: 'courier new', courier, monospace;">system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, $windows.~bt, public, msocache, windows, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old</span></p>
<p>Excluded file names are as follows:</p>
<p><span style="font-family: 'courier new', courier, monospace;">desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log</span></p>
<p>Any file with an extension matching the following list will also be avoided:</p>
<p><span style="font-family: 'courier new', courier, monospace;">themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu</span></p>
<p>Hardcoded credentials stored within the BlackCat ransomware config lend credence to the likelihood that specific victims are being targeted. The credentials also allow BlackCat to move laterally within the victim’s system and/or network, often with administrative privileges. Credential access permits the ransomware to deploy additional tools that further propagate the attack. These observations have also been confirmed by <a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware">Symantec</a>.</p>
<h3><a id="Associated-Tools"></a>Associated Tools</h3>
<p>BlackCat has been observed using multiple – often legitimate – tools throughout their attacks, such as Mimikatz, LaZagne and WebBrowserPassView to recover stored passwords, as well as GO Simple Tunnel (GOST) and MEGAsync to exfiltrate data. Additionally, anti-forensics tools like fileshredder, an application to securely delete unwanted files beyond recovery, have also been leveraged during some BlackCat ransomware attacks investigated by Unit 42.</p>
<h2><a id="Post-compromise-Activities"></a>Post-compromise Activities</h2>
<p>Once candidate systems have been identified for encryption by the threat actors, the ransomware deployment occurs and all viable files will be encrypted. This process often involves renaming files to include an additional or different file extension, such as <span style="font-family: 'courier new', courier, monospace;">wpzlbji</span> in the example shown in Figure 4. As is commonplace with other ransomware strains, BlackCat ransomware will drop ransom notes on the compromised system(s) to inform the victim of what has happened and how to go about getting their data restored. Text files named <span style="font-family: 'courier new', courier, monospace;">RECOVER-[RANDOM]-FILES.txt</span> (where <span style="font-family: 'courier new', courier, monospace;">[RANDOM]</span> refers to the aforementioned file extension) will be found on the compromised system, containing information and instructions such as those in the example below:</p>
<figure id="attachment_121758" aria-describedby="caption-attachment-121758" style="width: 900px" class="wp-caption aligncenter"><img loading="lazy" class="wp-image-121758" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/word-image-78.png" alt="When BlackCat ransomware encrypts files, it renames them to include another or a different file extension, such as wpzlbji, as shown in this example. " width="900" height="666" /><figcaption id="caption-attachment-121758" class="wp-caption-text">Figure 4. An example of a BlackCat ransom note dropped on a compromised system.</figcaption></figure>
<p>BlackCat utilizes a unique onion domain with a victim-specific access key for the victim to use to learn more about the attack, their data, and what the threat actors want the victim to do next. The following example URL highlights the notation used by BlackCat ransomware:</p>
<p><span style="font-family: 'courier new', courier, monospace;">http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid[.]onion/?access-key=${ACCESS_KEY}","note_short_text":"Important</span></p>
<p>Once the victim navigates to the onion site provided, they will see something similar to Figure 5 below. This site reiterates the situation and states that the actor's Decrypt App private key is the only way to get their data back. The portal also provides chat facilities, the ransom amounts – which can differ depending on when the payment is sent – instructions on how to pay, and a way to test that the decryption works.</p>
<figure id="attachment_121765" aria-describedby="caption-attachment-121765" style="width: 624px" class="wp-caption aligncenter"><img loading="lazy" class="wp-image-121765 size-full" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/image4.png" alt="Example of information shown on an onion site for BlackCat victims. Typical features include the option to pay the ransom demand in either Monero or Bitcoin and a discounted demand price if the ransom is paid more quickly. " width="624" height="611" /><figcaption id="caption-attachment-121765" class="wp-caption-text">Figure 5. Example onion site information for BlackCat victims.</figcaption></figure>
<p><img loading="lazy" width="1" height="1" class="wp-image-121760" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/word-image-79.png" alt="" />Unit 42 has observed BlackCat affiliates asking for ransom amounts of up to $14 million, though they offered to discount this demand to $9 million if paid before the established deadline. Interestingly, the ransom demand gives the victim the option to pay not only in Bitcoin (the most common option) but also in Monero.</p>
<p>In some cases, BlackCat operators use the chat to threaten the victim, claiming they will perform a DDoS attack on the victims' infrastructure if the ransom is not paid. When it appears in addition to the use of a leak site, this practice is known as triple extortion, a tactic that was observed being used by groups like <a href="https://unit42.paloaltonetworks.com/ransomware-threat-report-highlights/">Avaddon</a> and <a href="https://unit42.paloaltonetworks.com/ransomware-threat-report-highlights/">Suncrypt</a> in the past.</p>
<p>One unique feature of BlackCat ransomware is that negotiation chats can only be accessed by those holding an access token key or ransom note – the group has made efforts to avoid third-party snooping.</p>
<h2><a id="Courses-of-Action"></a>Courses of Action</h2>
<p>This section documents the relevant tactics, techniques and procedures (TTPs) used by BlackCat ransomware and operators, mapping them directly to the Palo Alto Networks product(s) and service(s) protecting against them. It also further instructs customers on how to ensure their devices are appropriately configured.</p>
<table style="width: 101.283%;">
<tbody>
<tr>
<td style="width: 23.6915%;"><b><i>Product / Service</i></b></td>
<td style="width: 105.051%;">
<p style="text-align: center;"><b><i>Course of Action</i></b></p>
</td>
</tr>
<tr>
<td style="width: 128.742%;" colspan="2">
<p style="text-align: center;"><b><i>Discovery</i></b></p>
</td>
</tr>
<tr>
<td style="width: 128.742%;" colspan="2">
<p style="text-align: center;"><i><span style="font-weight: 400;">The below courses of action mitigate the following techniques:</span></i></p>
<p style="text-align: center;"><i><span style="font-weight: 400;">Process Discovery [</span></i><a href="https://attack.mitre.org/techniques/T1057"><i><span style="font-weight: 400;">T1057</span></i></a><i><span style="font-weight: 400;">], File and Directory Discovery [</span></i><a href="https://attack.mitre.org/techniques/T1083"><i><span style="font-weight: 400;">T1083</span></i></a><i><span style="font-weight: 400;">]</span></i></p>
</td>
</tr>
<tr>
<td style="width: 23.6915%;"><i><span style="font-weight: 400;">CORTEX XDR PREVENT</span></i></td>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Configure Behavioral Threat Protection under the Malware Security Profile</span></i></td>
</tr>
<tr>
<td style="width: 128.742%;" colspan="2">
<p style="text-align: center;"><b><i>Lateral Movement</i></b></p>
</td>
</tr>
<tr>
<td style="width: 128.742%;" colspan="2">
<p style="text-align: center;"><i><span style="font-weight: 400;">The below courses of action mitigate the following techniques:</span></i></p>
<p style="text-align: center;"><i><span style="font-weight: 400;">Lateral Tool Transfer [</span></i><a href="https://attack.mitre.org/techniques/T1570"><i><span style="font-weight: 400;">T1570</span></i></a><i><span style="font-weight: 400;">]</span></i></p>
</td>
</tr>
<tr>
<td style="width: 23.6915%;" rowspan="3"><i><span style="font-weight: 400;">THREAT PREVENTION</span></i><i><span style="font-weight: 400;">†</span></i></td>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories and threats</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure a secure antivirus profile is applied to all relevant security policies</span></i></td>
</tr>
<tr>
<td style="width: 128.742%;" colspan="2">
<p style="text-align: center;"><b><i>Command and Control</i></b></p>
</td>
</tr>
<tr>
<td style="width: 128.742%;" colspan="2">
<p style="text-align: center;"><i><span style="font-weight: 400;">The below courses of action mitigate the following techniques:</span></i></p>
<p style="text-align: center;"><i><span style="font-weight: 400;">Multi-hop Proxy [</span></i><a href="https://attack.mitre.org/techniques/T1090/003"><i><span style="font-weight: 400;">T1090.003</span></i></a><i><span style="font-weight: 400;">]</span></i></p>
</td>
</tr>
<tr>
<td style="width: 23.6915%;" rowspan="6"><i><span style="font-weight: 400;">THREAT PREVENTION</span></i><i><span style="font-weight: 400;">†</span></i></td>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories and threats</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the internet</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure DNS sinkholing is configured on all anti-spyware profiles in use</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure a secure antivirus profile is applied to all relevant security policies</span></i></td>
</tr>
<tr>
<td style="width: 23.6915%;" rowspan="5"><i><span style="font-weight: 400;">ADVANCED URL FILTERING</span></i><i><span style="font-weight: 400;">†</span></i></td>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure that URL Filtering uses the action of “block” or “override” on the URL categories</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure secure URL filtering is enabled for all security policies allowing traffic to the internet</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure that Advanced URL Filtering is used</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure that access to every URL is logged</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure all HTTP Header Logging options are enabled</span></i></td>
</tr>
<tr>
<td style="width: 23.6915%;" rowspan="2"><i><span style="font-weight: 400;">CORTEX XSOAR</span></i></td>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Deploy XSOAR Playbook - PAN-OS Query Logs for Indicators</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Deploy XSOAR Playbook - Palo Alto Networks - Hunting And Threat Detection</span></i></td>
</tr>
<tr>
<td style="width: 23.6915%;" rowspan="6"><i><span style="font-weight: 400;">NEXT-GENERATION FIREWALLS</span></i></td>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure 'SSL Forward Proxy Policy' for traffic destined to the internet is configured</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources exists</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure that the Certificate used for Decryption is Trusted</span></i></td>
</tr>
<tr>
<td style="width: 128.742%;" colspan="2">
<p style="text-align: center;"><b><i>Exfiltration</i></b></p>
</td>
</tr>
<tr>
<td style="width: 128.742%;" colspan="2">
<p style="text-align: center;"><i><span style="font-weight: 400;">The below courses of action mitigate the following techniques:</span></i></p>
<p style="text-align: center;"><i><span style="font-weight: 400;">Exfiltration to Cloud Storage [</span></i><a href="https://attack.mitre.org/techniques/T1567/002"><i><span style="font-weight: 400;">T1567.002</span></i></a><i><span style="font-weight: 400;">]</span></i></p>
</td>
</tr>
<tr>
<td style="width: 23.6915%;" rowspan="5"><i><span style="font-weight: 400;">URL FILTERING</span></i><i><span style="font-weight: 400;">†</span></i></td>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure secure URL filtering is enabled for all security policies allowing traffic to the internet</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure all HTTP Header Logging options are enabled</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure that URL Filtering uses the action of ‘block’ or ‘override’ on the URL categories</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure that access to every URL is logged</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Ensure that Advanced URL Filtering is used</span></i></td>
</tr>
<tr>
<td style="width: 128.742%;" colspan="2">
<p style="text-align: center;"><b><i>Impact</i></b></p>
</td>
</tr>
<tr>
<td style="width: 128.742%;" colspan="2">
<p style="text-align: center;"><i><span style="font-weight: 400;">The below courses of action mitigate the following techniques:</span></i></p>
<p style="text-align: center;"><i><span style="font-weight: 400;">Data Encrypted for Impact [</span></i><a href="https://attack.mitre.org/techniques/T1486"><i><span style="font-weight: 400;">T1486</span></i></a><i><span style="font-weight: 400;">], Service Stop [</span></i><a href="https://attack.mitre.org/techniques/T1489"><i><span style="font-weight: 400;">T1489</span></i></a><i><span style="font-weight: 400;">], Inhibit System Recovery [</span></i><a href="https://attack.mitre.org/techniques/T1490"><i><span style="font-weight: 400;">T1490</span></i></a><i><span style="font-weight: 400;">]</span></i></p>
</td>
</tr>
<tr>
<td style="width: 23.6915%;" rowspan="2"><i><span style="font-weight: 400;">CORTEX XSOAR</span></i></td>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Deploy XSOAR Playbook - Ransomware Manual for incident response.</span></i></td>
</tr>
<tr>
<td style="width: 105.051%;"><i><span style="font-weight: 400;">Deploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation</span></i></td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><span style="color: #999999; font-size: 12pt;"><sup><em>Table 1. Courses of Action for BlackCat ransomware.<br />
</em><em>†These capabilities are part of the NGFW security subscriptions service</em></sup></span></p>
<h2><a id="Conclusion"></a>Conclusion</h2>
<p>BlackCat is an innovative and sophisticated ransomware family that is rapidly forming a reputation for its highly customized and individualized attacks. By leveraging the Rust programming language, the malware authors are able to easily compile it against various operating system architectures, which facilitates the group’s ability to pivot from one victim to the next. As seen with other ransomware families, BlackCat operates with a RaaS model and utilizes multiple extortion techniques, then publishes a leak site to further pressure victims into paying the ransom.</p>
<p>Palo Alto Networks detects and prevents BlackCat ransomware in the following ways:</p>
<ul>
<li><a href="https://www.paloaltonetworks.com/products/secure-the-network/wildfire">WildFire</a>: All known samples are identified as malware.</li>
<li><a href="https://www.paloaltonetworks.com/cortex/cortex-xdr">Cortex XDR</a> with:
<ul>
<li>Indicators for BlackCat.</li>
<li>Anti-Ransomware Module to detect BlackCat encryption behaviors on Windows.</li>
<li>Local Analysis detection for BlackCat binaries on Windows.</li>
<li>Behavioral Threat Protection (BTP) rule prevents ransomware activity on Linux.</li>
</ul>
</li>
<li><a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall">Next-Generation Firewalls</a>: DNS Signatures detect the known command and control (C2) domains, which are also categorized as malware in <a href="https://www.paloaltonetworks.com/products/threat-detection-and-prevention/web-security">URL Filtering</a>.</li>
</ul>
<p>Indicators of compromise and BlackCat-associated TTPs can be found in the <a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.BlackCat">BlackCat</a> ATOM.</p>
<p>If you think you may have been compromised or have an urgent matter, get in touch with the <a href="http://start.paloaltonetworks.com/contact-unit42.html">Unit 42 Incident Response team</a> or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC: +65.6983.8730, or Japan: +81.50.1790.0200.</p>
<p>Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the <a href="http://www.cyberthreatalliance.org">Cyber Threat Alliance</a>.</p>
<h2><a id="Additional-Resources"></a>Additional Resources</h2>
<ul>
<li><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware">Noberus: Technical Analysis Shows Sophistication of New Rust-Based Ransomware</a></li>
<li><a href="https://unit42.paloaltonetworks.com/ransomware-threat-report-highlights/">Highlights from the 2021 Unit 42 Ransomware Threat Report</a></li>
</ul>
<h2><a id="Acknowledgments"></a>Acknowledgements</h2>
<p>We would like to thank Simon Conant for his help with sample collection, and malware and infrastructure analysis.</p>


        </div>
      </div>
    </div>
  </article>
<script type="text/javascript">
    // Start lozad lazy loading for elements carrying the '.lozad' or '.lozad-background' classes.
    const observer_lozad = lozad('.lozad, .lozad-background'); // lazy loads elements with default selector as '.lozad'
      observer_lozad.observe();
        // `referer` is not declared in this script; presumably set earlier in the page — verify.
        // For product-site referrers, define the globals the embedded search widgets appear to read
        // and install a minimal Granite.I18n shim that only knows two Coveo strings.
        if(referer == "Prisma" || referer == "Cortex" || referer == "Sase"){
	var Coveo_organizationId = "paloaltonetworksintranet";        
        var techDocsPagePath = "https://docs.paloaltonetworks.com/search.html#hd=All%20Prisma%20Cloud%20Documentation&hq=%40panproductcategory%3D%3D(%22Prisma%20Cloud%22)&sort=relevancy&layout=card&numberOfResults=25";
        var languageFromPath="en_US";
        window.Granite = window.Granite || {}; // reuse an existing Granite namespace if one is already present
	Granite.I18n = (function() {
		var self = {};
		self.setLocale = function(locale) { }; // no-op: this shim does not support switching locale
		// Returns the English text for the two known keys and "" for anything else (including a falsy key);
		// `snippets` and `note` are accepted for interface compatibility but unused.
		self.get = function(text, snippets, note) {
        	var out = "";
        	if(text){
        		if(text ==="coveo.clear"){
        			out = "Clear";
        		}else if(text ==="coveo.noresultsfound"){
        			out = "No results found for this search term.";
        		}
        	}
        	return out;
        };
        return self
	}());
}
/*
    var Coveo_organizationId = "paloaltonetworksintranetsandbox1";
    var searchResultsPagePath = "https://www.paloaltonetworks.com/search/prismasearch";
    var techDocsPagePath = "https://docs.paloaltonetworks.com/search";
    var languageFromPath="en_US";
    */
       	// URLs of the main-site navigation bundles, built from `maindomain_lang` (declared earlier in the page).
       	var main_site_critical_top = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.js';
	var main_site_defered = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.js';
        // Not read by this page's own code; presumably consumed by the nav bundles loaded below — verify.
        window.PAN_MainNavAsyncUrl = maindomain_lang+"/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html";

// Appends a <script> element for `url` to document.head.
// The defer attribute is added only when `defer` compares loosely equal to true
// (the original `defer == true` comparison is kept as-is).
function loadScript(url, defer){
        var tag = document.createElement('script');
        tag.setAttribute('type', 'text/javascript');
        tag.setAttribute('src', url);
        var wantsDefer = (defer == true);
        if (wantsDefer) {
            tag.setAttribute('defer', 'defer');
        }
        document.head.appendChild(tag);
}
// Loads `url` through a dynamically created <script> and invokes `callback` once it has loaded.
// Legacy IE reports completion through readyState; every other browser through onload.
function loadScript1(url, callback){
        var el = document.createElement("script");
        el.type = "text/javascript";

        var usesReadyState = !!el.readyState;
        if (usesReadyState) {
            el.onreadystatechange = function () {
                var state = el.readyState;
                if (state != "loaded" && state != "complete") {
                    return;
                }
                el.onreadystatechange = null; // fire the callback once only
                callback();
            };
        } else {
            el.onload = function () {
                callback();
            };
        }

        el.src = url;
        var head = document.getElementsByTagName("head")[0];
        head.appendChild(el);
}
// Same referrer gate as the block above: load the critical nav bundle first, initialise the nav
// once it has loaded, then inject the deferred bundle (`false` here means no defer attribute).
if(referer == "Prisma" || referer == "Cortex" || referer == "Sase"){
                    loadScript1(main_site_critical_top, function(){
                            window.PAN_initializeProduct2021Nav(); // presumably defined by criticalTop.min.js — verify
                    });
                    loadScript(main_site_defered, false);
                }
</script>
    <script type="text/javascript">
	var isProcessing = false; // true while a like/dislike request is in flight; rejects overlapping clicks
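    // Sends a like/dislike vote for `post_id` to the counter plugin endpoint and updates the widget `obj`.
    //   obj     - the clicked widget element (or selector); its <span> displays the count
    //   post_id - id of the post being voted on
    //   ul_type - vote type, passed through unchanged as the `up_type` parameter
    // `isProcessing` (declared at script scope) rejects a second click while a request is in flight.
    function alter_ul_post_values(obj,post_id,ul_type){
	
		if (isProcessing)    
		return;  
		isProcessing = true;   
		
		jQuery(obj).find("span").html("..");
                jQuery.ajax({
                    type: "POST",
                    url: "https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php",
                    // post_id and ul_type are concatenated unencoded; presumably plain numeric/keyword values — verify at the call site.
                    data: "post_id="+post_id+"&up_type="+ul_type,
                    success: function(msg){
                            // The response is rendered as HTML; it is expected to be a bare count. If the endpoint could
                            // ever return anything else, .text(msg) would be the safer choice.
                            jQuery(obj).find("span").html(msg);
                            isProcessing = false; 
                            jQuery(obj).find('svg').children('path').attr('stroke','#0050FF');
                            jQuery(obj).removeClass('idc_ul_cont_not_liked idc_ul_cont_not_liked_inner');
                    },
                    // Previously the flag was only cleared on success, so a failed request left the widget
                    // stuck at ".." and blocked every further vote on the page.
                    error: function(){
                            isProcessing = false;
                    }
 		});
	}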
	</script>
<script type='text/javascript' id='wpdevart_lightbox_front_end_js-js-extra'>
/* <![CDATA[ */
// Settings object for the lightbox-popup plugin (read by wpdevart_lightbox_front.js, loaded next).
// All values are strings, including numeric sizes and the "true"/"false" flags; every image src
// here points at the same-origin plugin directory. NOTE(review): the line breaks inside two of the
// string values below look like extraction artifacts, not part of the served script — confirm.
// "information_panel_ordering" is JSON-in-a-string and is presumably parsed by the plugin.
var wpdevart_lb_variables = {"eneble_lightbox_content":"enable","overlay_transparency_prancent":"80","enable_video_popuping":"enable","popup_background_color":"#000000","popup_loading_image":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/popup_loading.png","popup_initial_width":"350","popup_initial_height":"300","popup_youtube_width":"640","popup_youtube_height":"410","popup_vimeo_width":"500","popup_vimeo_height":"410","popup_max_width":"5000","popup_max_height":"5000","popup_position":"5","popup_fixed_position":"true","popup_outside_margin":"0","popup_border_width":"2","popup_border_color":"#000000","popup_border_radius":"10","control_buttons_show":"true","control_buttons_show_in_content":"false","control_buttons_height":"30","control_buttons_line_bg_color":"#000000","control_button_prev_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/prev.png","control_button_prev_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/prev_hover.png","control_button_next_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/next.png","control_button_next_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/next_hover.png","control_button_download_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/download.png","control_button_download_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/download_hover.png","control_button_innewwindow_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/innewwindow.png","control_button_innewwindow_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/im
ages\/contorl_buttons\/innewwindow_hover.png","control_button_fullwidth_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidth.png","control_button_fullwidht_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidth_hover.png","control_button_fullwidthrest_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidthreset.png","control_button_fullwidhtrest_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidthreset_hover.png","control_button_close_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/close.png","control_button_close_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/close_hover.png","information_panel_show":"false","information_panel_padding_top":"0","information_panel_padding_bottom":"0","information_panel_show_in_content":"false","information_panel_bg_color":"#000000","information_panel_default_transparency":"100","information_panel_hover_trancparency":"100","information_panel_count_image_after_text":"Image","information_panel_count_image_middle_text":"of","information_panel_count_padding_left":"15","information_panel_count_padding_right":"4","information_panel_count_font_size":"20","information_panel_desc_padding_left":"15","information_panel_desc_padding_right":"4","information_panel_desc_font_size":"20","information_panel_desc_show_if_not":"true","information_panel_text_for_no_caption":"No Caption","information_panel_title_padding_left":"5","information_panel_title_padding_right":"5","information_panel_title_font_size":"15","information_panel_title_show_if_not":"true","information_panel_text_for_no_title":"No 
Title","information_panel_ordering":"{\"count\":[1,\"count\"],\"title\":[0,\"title\"],\"caption\":[0,\"caption\"]}"};
/* ]]> */
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/javascript/wpdevart_lightbox_front.js?ver=1.0' id='wpdevart_lightbox_front_end_js-js'></script>
          
  </body>
</html>
